Introduction

Starting with version 4.0, Samba is able to run as an Active Directory (AD) domain controller (DC). If you are installing Samba in a production environment, it is recommended to run two or more DCs for failover reasons.

This documentation describes how to set up Samba as the first DC to build a new AD forest. Additionally, use this documentation if you are migrating a Samba NT4 domain to Samba AD. To join Samba as an additional DC to an existing AD forest, see Joining a Samba DC to an Existing Active Directory.

Disable tools, such as resolvconf, that automatically update your /etc/resolv.conf DNS resolver configuration file. Active Directory (AD) DCs and domain members must use a DNS server that is able to resolve the AD DNS zones.

Verify that no Samba processes are running:

# ps ax | egrep "samba|smbd|nmbd|winbindd"

If the output lists any samba, smbd, nmbd, or winbindd processes, shut down the processes.

Verify that the /etc/hosts file on the DC correctly resolves the fully-qualified domain name (FQDN) and short host name to the LAN IP address of the DC. For example:

The AD provisioning requires root permissions to create files and set permissions.

The samba-tool domain provision command provides several parameters to use with the interactive and non-interactive setup. For details, see:

# samba-tool domain provision --help

When provisioning a new AD, it is recommended to enable the NIS extensions by passing the --use-rfc2307 parameter to the samba-tool domain provision command. This enables you to store Unix attributes in AD, such as user IDs (UID), home directory paths, and group IDs (GID). Enabling the NIS extensions has no disadvantages, even if they are not used. However, enabling them in an existing domain requires manually extending the AD schema. For further details about Unix attributes in AD, see:

Other parameters frequently used with the samba-tool domain provision command:

--option="interfaces=lo eth0" --option="bind interfaces only=yes": If your server has multiple network interfaces, use these options to bind Samba to the specified interfaces. This enables the samba-tool command to register the correct LAN IP address in the directory during the join.
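The pre-provisioning checks above (no running Samba processes, a correct /etc/hosts entry, root permissions) and the non-interactive provisioning call with the --use-rfc2307 and --option parameters can be combined in one script. The following is an added example written for this page, not a script from the Samba wiki or the Samba project; the realm SAMDOM.EXAMPLE.COM, the NetBIOS name SAMDOM, the host name dc1 and the interface list "lo eth0" are assumed sample values. The hosts-file check additionally rejects a name that is also bound to a loopback address, the usual cause of a DC registering 127.0.1.1 in DNS.

```shell
#!/bin/sh
# Pre-provisioning checks and a non-interactive provisioning call for a first
# Samba AD DC. Added example, not a script from the Samba wiki. All values
# below are assumed samples; adjust them before use.
REALM=SAMDOM.EXAMPLE.COM          # assumed sample Kerberos realm
DOMAIN=SAMDOM                     # assumed sample NetBIOS domain name
FQDN=dc1.samdom.example.com       # assumed sample DC host name
SHORTNAME=dc1
LAN_IP=10.99.0.1                  # LAN address the DC must register in DNS
INTERFACES="lo eth0"              # interface list from the page's example
ADMIN_PASSWORD=${ADMIN_PASSWORD:-CHANGE-ME-PLACEHOLDER}   # never keep a real password here

# check_no_samba_processes: reads "ps ax" output on stdin and returns 0 when no
# samba, smbd, nmbd or winbindd process is listed, 1 when one is still running.
# The grep process itself matches the pattern, so it is filtered out first.
check_no_samba_processes() {
    if grep -v 'grep' |
        grep -E '(^|[[:space:]/])(samba|smbd|nmbd|winbindd)([[:space:]:]|$)' >/dev/null; then
        return 1
    fi
    return 0
}

# check_hosts_file FILE FQDN SHORTNAME LAN_IP: returns 0 when FILE maps both
# names to LAN_IP and neither name is also mapped to a loopback address
# (127.x.x.x or ::1). Comments are stripped before parsing.
check_hosts_file() {
    file=$1; fqdn=$2; short=$3; ip=$4
    sed 's/#.*//' "$file" | awk -v ip="$ip" -v fqdn="$fqdn" -v short="$short" '
        $1 == ip { for (i = 2; i <= NF; i++) { if ($i == fqdn) f = 1; if ($i == short) s = 1 } }
        $1 ~ /^127\./ || $1 == "::1" {
            for (i = 2; i <= NF; i++) if ($i == fqdn || $i == short) loop = 1 }
        END { exit !(f && s && !loop) }'
}

# provision_dc: runs samba-tool domain provision with the NIS extensions and the
# interface binding options from the page. It only executes when
# RUN_PROVISION=yes so the script can be reviewed first; it must run as root.
provision_dc() {
    if [ "${RUN_PROVISION:-no}" != yes ]; then
        echo "Dry run: set RUN_PROVISION=yes to provision $REALM ($DOMAIN) on interfaces '$INTERFACES'"
        return 0
    fi
    [ "$(id -u)" -eq 0 ] || { echo "provisioning requires root" >&2; return 1; }
    samba-tool domain provision \
        --use-rfc2307 \
        --realm="$REALM" --domain="$DOMAIN" \
        --server-role=dc --dns-backend=SAMBA_INTERNAL \
        --adminpass="$ADMIN_PASSWORD" \
        --option="interfaces=$INTERFACES" \
        --option="bind interfaces only=yes"
}

main() {
    ps ax | check_no_samba_processes ||
        { echo "Samba processes are still running; stop them first" >&2; exit 1; }
    check_hosts_file /etc/hosts "$FQDN" "$SHORTNAME" "$LAN_IP" ||
        { echo "/etc/hosts does not map $FQDN and $SHORTNAME to $LAN_IP only" >&2; exit 1; }
    provision_dc
}

# Run the checks only when invoked as "sh provision-dc.sh run", so the file can
# also be sourced for its functions.
if [ "${1:-}" = run ]; then
    main
fi
```

Run it once without RUN_PROVISION to see the dry-run line, then with RUN_PROVISION=yes and a real ADMIN_PASSWORD exported in the environment; the samba-tool parameters used here (--realm, --domain, --server-role, --dns-backend, --adminpass, --use-rfc2307, --option) are listed by samba-tool domain provision --help.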

For details on how to start services, see your distribution's documentation.

Configuring the DNS Resolver

Domain members in an Active Directory (AD) use DNS to locate services, such as LDAP and Kerberos. For that, they need to use a DNS server that is able to resolve the AD DNS zone.

On your domain controller (DC), set the AD DNS domain in the domain parameter and the IP address of your DC in the nameserver parameter of the /etc/resolv.conf file. For example:

domain samdom.example.com
nameserver 10.99.0.1
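Because tools such as resolvconf can silently rewrite the file, it is worth checking the resolver configuration before relying on it, and checking afterwards that the SRV records domain members use to find LDAP and Kerberos are answered. The following is an added example, not from the Samba wiki; the domain samdom.example.com and DC address 10.99.0.1 match the example above, and the second function needs the host utility and a running DC.

```shell
#!/bin/sh
# Resolver checks for a Samba AD DC. Added example, not from the Samba wiki.

# check_resolv_conf FILE DOMAIN DC_IP: returns 0 when FILE names DOMAIN in a
# "domain" or "search" line (resolv.conf treats them as alternatives) and lists
# DC_IP as the first nameserver, so queries for the AD zone go to the DC and
# not to an external resolver that cannot answer them. Comment lines are skipped.
check_resolv_conf() {
    file=$1; domain=$2; dc_ip=$3
    awk -v domain="$domain" -v dc_ip="$dc_ip" '
        /^[[:space:]]*#/ { next }
        $1 == "domain" || $1 == "search" { for (i = 2; i <= NF; i++) if ($i == domain) d = 1 }
        $1 == "nameserver" && !seen { seen = 1; if ($2 == dc_ip) n = 1 }
        END { exit !(d && n) }' "$file"
}

# check_ad_srv_records DOMAIN: live lookup of the LDAP and Kerberos SRV records
# for DOMAIN using the host utility. Returns 1 on the first missing record.
# Not exercised by the offline test because it needs a running DC.
check_ad_srv_records() {
    domain=$1
    for rr in _ldap._tcp _kerberos._udp; do
        host -t SRV "$rr.$domain." | grep -q 'has SRV record' ||
            { echo "missing SRV record $rr.$domain" >&2; return 1; }
    done
    return 0
}

# Usage: sh check-resolver.sh run  (assumed file name)
if [ "${1:-}" = run ]; then
    check_resolv_conf /etc/resolv.conf samdom.example.com 10.99.0.1 ||
        { echo "/etc/resolv.conf does not point at the DC for samdom.example.com" >&2; exit 1; }
    check_ad_srv_records samdom.example.com
fi
```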

Configuring Kerberos

In an Active Directory (AD), Kerberos is used to authenticate users, machines, and services.

During the provisioning, Samba created a Kerberos configuration file for your domain controller (DC). To use it, remove your existing /etc/krb5.conf file and create a symbolic link to the pre-configured Kerberos configuration:

Testing your Samba AD DC

Samba does not provide System V init scripts, systemd, upstart, or other service configuration files.

If you installed Samba using packages, use the script or service configuration file included in the package to start Samba.

If you built Samba, see your distribution's documentation for how to create a script or configuration to start services. For user-created example System V init scripts, see Samba AD Init Script Examples.

Configuring Time Synchronisation

Kerberos requires a synchronised time on all domain members. For further details and how to set up the ntpd service, see Time Synchronisation.

Using the Domain Controller as a File Server

The Samba Active Directory (AD) domain controller (DC) is able to provide file shares, like all other installation modes. However, the Samba team does not recommend using a DC as a file server, because the DC smbd process has some limitations compared with the service in non-DC setups. For example, the auto-enabled acl_xattr virtual file system (VFS) object only enables you to configure shares with Windows access control lists (ACL). Running shares with POSIX ACLs on a Samba DC is not supported. To provide network shares with the full capabilities of Samba, set up a Samba domain member with file shares. For details, see: